THE ECA CRITICAL REQUIREMENTS MODEL


INTRODUCTION 

The External Communications Security (COMSEC) Adapter (ECA) is an embedded computing device
that processes message traffic for a network. Its functional requirements [1] are summarized briefly below in
Overview. We assume that the network in which the ECA resides enforces a simple security policy of message
data confidentiality. From this policy, we can derive critical requirements for the ECA. A critical requirement
is a constraint on a system that, if not satisfied, may result in the system engaging in catastrophic behavior.
This report^1 presents a formal model of the ECA's critical requirements. First, we develop an informal model
of the requirements. Then we formalize that model by using the Trace Model of CSP developed by Hoare
[2, 3]. Our exposition of the ECA formal model is patterned after the Secure Military Message System model
[4].


In the Overview below, we identify the ECA's critical requirements. Next we present the informal model
and then the formal model. The Glossary contains definitions of ECA-specific terms; henceforth, these terms
appear in Small Capital letters.


OVERVIEW 

The ECA partitions the network in which it resides into a Red Domain for processing sensitive information
and a Black Domain for processing nonsensitive information. Information is nonsensitive if its classification
level does not exceed the classification level to which the Black Domain is trusted; it is sensitive otherwise.
The ECA has four external interfaces: a Red Interface for communicating Messages with the Red Domain,
a Black Interface for communicating Messages with the Black Domain, a Cryptographic Interface for loading
a Key, and a Time Interface for accepting Time signals. The Cryptographic Interface and the Time Interface
reside in the Red Domain.

The ECA must satisfy two important functional requirements: the ECA shall use a cryptographic function,
and it shall use a bypass around that function. Encryption makes the sensitive portion of a Message
nonsensitive so that the Message can be transmitted over an untrusted medium. A Message can be
partitioned into a Crypto Data portion, which contains sensitive text supplied by the user, and a Bypass
Data portion, which contains transmission protocol information. The Crypto Data must be encrypted in
the Black Domain. The Bypass Data cannot be encrypted there, because the network routing function
resides in the Black Domain. The ECA must divert the Bypass Data around the cryptographic function.

Figure 1 illustrates a typical scenario for using the ECA in a network. A Message is transmitted from
some Device A to another Device B. An ECA that is local to A splits the Message into Bypass Data
and Crypto Data, encrypts the Crypto Data by using the cryptographic function $E_k$, bypasses the
corresponding Bypass Data, and transmits the encrypted Message over the network to a remote ECA
(that is local to B). The remote ECA decrypts the Crypto Data with the cryptographic function $D_k$.
The dashed box in Fig. 1 represents the division of the Red Domain and the Black Domain. Everything
outside of the dashed box resides in the Red Domain.


CRITICAL  REQUIREMENTS 

The network must enforce the confidentiality of information; users shall not obtain information for which
they are not authorized. This is partially achieved by the distribution of the cryptographic Key. A user's
local ECA receives a Key that is appropriate for decrypting the information that the user is authorized to
obtain.

Manuscript approved June 25, 1992.

Figure 1: The ECA in a network


However, Key distribution alone is not sufficient to enforce data confidentiality. The ECA must ensure
that sensitive information does not enter the unprotected Black Domain. Since the ECA communicates
with Devices in the Black Domain over its Black Interface, we have the following critical requirement
for the ECA:


Restricted Red-To-Black Flow. Sensitive information shall not be transmitted over the
Black Interface to the Black Domain.

The obvious response to satisfying Restricted Red-To-Black Flow is to encrypt the Crypto Data
of every Message before the Message is transmitted over the Black Interface. However, sensitive
information can also reside in the Bypass Data; a Device could inadvertently or maliciously encode sensitive
information in the Bypass Data. For example, a Message can be ill-formed so that its "Bypass Data"
actually includes some Crypto Data. The ECA must determine what belongs in the Bypass Data of
a Message and what does not. This is accomplished through Format Checks on the Bypass Data.
However, although the Format Checks are thorough, they do not ensure perfect confidentiality. The ECA
must also constrain the Bypass Rate of the Bypass Data so that, even if sensitive information is released,
the bandwidth is small. Finally, the ECA must ensure that all Messages (that were not generated internally)
are transmitted over the Black Interface in the order they were received, and each Message must be
transmitted only once. This last constraint is designed to restrict covert signaling initiated within the ECA,
e.g., by a Trojan horse; it is not intended to address signaling initiated by the ECA's environment, i.e.,
external to the ECA. In general, we are concerned primarily with the obvious covert storage channels.

The issues discussed above suggest some derived critical requirements for the ECA. These requirements,
together with important assumptions about the ECA's operating environment, are identified in the informal
model described below.


INFORMAL  MODEL 


The functional requirements described in Ref. 1 do not need to be modeled to argue that an implementation
enforces Restricted Red-To-Black Flow. Instead, we model only those critical requirements that,
if not enforced, could compromise Restricted Red-To-Black Flow. This section presents an informal
model of those critical requirements.

While the functional requirements discuss the operating states of the ECA, the informal model ignores
them: the ECA must preserve Restricted Red-To-Black Flow regardless of its operating state. The
informal model constrains the ECA's behavior only when the ECA is attached to a network; otherwise,
Restricted Red-To-Black Flow has little meaning. For example, a system administrator loads the
cryptographic Key, the Format Check parameters, and the Bypass Rate parameters during the ECA's
system configuration, but this action occurs while the ECA is disconnected from the network.

Each of the critical requirements identified in Informal Assertions suggests a "mechanical check" of a
Message before it is transmitted over the Black Interface. All Messages must satisfy the intent of
these requirements, but because of operational constraints, not all Messages will undergo the mechanical
check. The ECA may exempt certain Messages from these checks with the understanding that these
Messages would otherwise satisfy the constraint.


User's View of Operation

The ECA is an embedded system. It has no human users, so a "user's" view of its operation must be
interpreted for the Devices to which it connects.

A Device communicates with the ECA over one interface only. A Device in the Red Domain engaged
in transmitting and receiving Messages communicates over the Red Interface; similarly for a Device in
the Black Domain. The Device communicates with the ECA by using an established protocol. Progress
of a transmitted Message can be relayed to the originating Device if the notification does not violate the
critical requirements.

The Time Interface and the Crypto Interface affect communications over the Red Interface and
the Black Interface but are not accessible to the latter interfaces. The Crypto Interface is accessed
only during system configuration, when the ECA is disconnected from the network. We rely on administrative
procedures to ensure the Key is not loaded while the ECA is connected. No facilities to load a Key remotely
are provided.


Assumptions 

To enforce Restricted Red-To-Black Flow, the environment in which the ECA operates must obey
certain restrictions. Because the ECA cannot control its environment, these restrictions represent assumptions
on the proper operation of the ECA that must be validated before the ECA is used.

1. Physically Secure - the ECA operates in a physical environment appropriate for the data it processes,
i.e., it is physically secure.

2. Valid Formats - the Format Check parameters are installed properly (while the ECA is disconnected
from the network) and are appropriate for the Message Set and the network's data confidentiality policy.

3. Valid Bypass Rates - the Bypass Rate parameters are installed properly (while the ECA is disconnected
from the network) and are appropriate for the Message Set, the central processing unit (CPU) used by
the ECA, and the network's data confidentiality policy.

4. Valid Crypto Algorithm - the ECA is loaded with a cryptographic algorithm and protocol (while
the ECA is disconnected from the network) that is appropriate for the Message Set being processed
and the network's data confidentiality policy.

5. Authentication - Devices gain access to the services provided by the ECA only after being authenticated.

6. Key Distribution - the Key distribution procedures for the network are appropriate for the network's
data confidentiality policy.

7. Fixed Key - the Key that is used to encrypt Messages does not change while the ECA is connected
to the network.^2

^2 We include this assumption because it simplifies our formal exposition of the critical requirements.




PAYNE,  MIHELCIC,  MOORE,  AND  HAYMAN 


8. Valid Clock - the Clock used by the ECA communicates Time to the ECA in a monotonically
increasing, linear fashion.

9. Valid Exemptions - a Message that is exempt from one or more of the requirements in Informal
Assertions satisfies the intent of the requirement(s) from which it is exempt.


Informal Assertions

The following critical requirements shall be enforced by the ECA. Messages that are exempt from one
or more of these requirements shall be identified prior to the installation of the ECA at a site.

1. Correct Encryption - the Crypto Data, if any, of every Message transmitted over the Black
Interface shall be encrypted before transmission.

2. Correct Format - a Message shall be transmitted over the Black Interface only if the Message
satisfies the Format Check restriction: the value of each Field of the Bypass Data must be within
a predetermined range; the length of each Field must match a predetermined length for that Field;
and the overall length of the Bypass Data, as specified by a Field within the Bypass Data, must
equal the sum of the lengths of the Fields of the Bypass Data.

3. Correct Bypass Rate - the Actual Bypass Rate for Bypass Data around the cryptographic
function, from the Red Domain to the Black Domain, shall not exceed the Allowed Bypass
Rate. The Actual Bypass Rate is the amount of Bypass Data actually diverted divided by the
Time elapsed. The Allowed Bypass Rate is the amount of Bypass Data that could have been
diverted divided by the Time elapsed. The Allowed Bypass Rate is bounded from above by a
prespecified constant rate.

4. Correct Order - every Message that is not generated internally and that is transmitted over the
Black Interface shall be transmitted in the same order in which it was received by the Red Interface,
and it shall be transmitted only once.


FORMAL  MODEL 

In this section, we offer a formal statement of the structure and assertions of the informal model. The
assumptions of the informal model are still valid, but they are not repeated here. The CSP Trace Model
from Refs. 2 and 3 is the computational paradigm for the formal model. It permits the specification of
correct behavior in terms of a system's external inputs and outputs. More importantly, this paradigm is the
foundation for our proposed decomposition method [5].

The critical requirements from Informal Assertions are formalized in terms of the ECA's six external
communication Channels. Our previous illustration of the ECA (Fig. 1) is refined in Fig. 2 to include the
Channel set introduced below. In general, if a Message enters the ECA over RI and satisfies all of the
restrictions defined in Informal Assertions, it will exit over BO. Similarly, if a Message enters the ECA
over BI, it will exit over RO. The Time is input over TI. The Key enters the ECA over CI only while the
ECA is disconnected from the network.
Figure 2: the ECA with its Channel set (figure not reproduced; only the label "Network" survives)


Definitions 

Sequences and traces are fundamental to the model. A sequence $S = \langle a_1, a_2, a_3, \ldots, a_n \rangle$ is an ordered
list that is defined under reflexivity, antisymmetry, and transitivity over a precedence operator $\prec$ such that
$a_1 \prec a_2 \prec a_3 \ldots \prec a_n$. The sequence is composed of elements, e.g., $a_1$, from some set $A$. The length of
$S$ is denoted $\#S$. The $i$th element of $S$ is accessed by $S[i]$.^3 The last element can be accessed by $S[\#S]$,
which for simplicity shall be denoted $S_{last}$. All but the last element can be accessed by $S_{nonlast}$. An empty
sequence is denoted $\langle\rangle$.

A trace $t = \langle e_1, e_2, e_3, \ldots, e_n \rangle$ of a process $P$ is a sequence of communication events $e_i \in \alpha P$, where $\alpha P$
is the alphabet of allowed events for process $P$, in which $P$ has engaged at some point in time [2]. An event
is of the form $ch.v$, where $ch$ is the Channel over which the communication occurred and $v$ is the value
communicated. The operator $\le$ denotes that one trace is a prefix of another. For example, $s \le t$, where
$s$ and $t$ are both traces, indicates that $s$ is a prefix of $t$. The expression $t \downarrow ch$ denotes the sequence of
communications over Channel $ch$ recorded in trace $t$.

In the definitions below, $\mathbb{N}$ denotes the natural numbers, $\mathbb{I}$ the integers, and $\mathbb{Q}$ the rational numbers.
Unit is an unspecified primitive entity. For example, a Unit is the smallest component of a Message. A
Message is a finite sequence of Units.^4 The following data types, constants, and functions are defined for
the formal model:

$M$ is the set of Messages that can be processed by the ECA, where each Message is a finite sequence of
Units. Four subsets of Messages are identified: $M_{EF} \subseteq M$, the Messages exempt from format restrictions;
$M_{EB} \subseteq M$, the Messages exempt from bypass rate restrictions; $M_{EC} \subseteq M$, the Messages exempt from
encryption, e.g., all-bypass Messages; and $M_{IG} \subseteq M$, the Messages that originate within the ECA.

$F$ is a set of Fields, where each Field is a finite sequence of Units and represents a value. The function
$valueF: F \to \mathbb{I}$ returns the value.

$B$ is a set of Field sequences, where each Field sequence (representing the Bypass Data of a Message)
is a finite sequence of elements from $F$. The function $lengthB: B \to \mathbb{N}$ returns the declared length of
the Bypass Data. The declared length is specified by a Field in the sequence. The function
$Byp: M \to B$ extracts the Bypass Data for a particular Message.

$R$ is a set of restrictions, where each restriction has a length value, a lower bound value, and an upper bound
value. The function $lengthR: R \to \mathbb{N}$ returns the length value. The function $lwrbndR: R \to \mathbb{I}$ returns
the lower bound value. The function $uprbndR: R \to \mathbb{I}$ returns the upper bound value.

$RS$ is the set of restriction sequences that specify the criteria for the Format Checks. Each restriction
sequence is a finite sequence of elements from $R$.

$C$ is the set of Crypto Data. Each Crypto Data is a finite sequence of Units. The function
$Crp: (M - M_{EC}) \to C$ extracts the Crypto Data for a particular Message.

$Z$ is the set of Time values, and $Z \subseteq \mathbb{N}$. $Z_0$ represents the initial Time value received by the ECA.

$Ch$ is the set of external communication Channels $Ch = \{RI, RO, BI, BO, CI, TI\}$ for the ECA. See
Fig. 2.

$ECA$ is a process. The alphabet of $ECA$, $\alpha ECA$, is
$\{RI.m, RO.m, BI.m, BO.m, CI.k, TI.z \mid m \in M \wedge k \in K \wedge z \in Z\}$, where $K$ is the set of
cryptographic Keys.

$T$ is the universe of traces, i.e., the union of trace sets of all imaginable processes. Formally,
$T = traces(CHAOS_U)$, where $U$ is the universe of events and $CHAOS$ is a process that can engage in
any event at any time. (See Ref. 2, p. 126.)

$ECAEncrypt$ is the cryptographic encryption transform $ECAEncrypt: M \to C$ that is applied by the ECA
to Crypto Data. $ECAEncrypt$ is subject to NSA Type I cryptographic constraints.

$\delta$ is the Allowed Bypass Rate, and $\delta \in \mathbb{Q}$.

$\sigma$ is the initial number of Units permitted to bypass the cryptographic function of the ECA, and $\sigma \in \mathbb{N}$.

$E$ is the transformation function $E: M \to M$ that the ECA applies to a Message;
$Crp(E(m)) = ECAEncrypt(m)$ where $m \in M$.

^3 This definition of indexing is slightly different from Hoare's description on page 20 of Ref. 2. Hoare's traces are indexed
from 0, but we prefer to index from 1.

^4 A Unit can be thought of as a single bit, i.e., a Message is a finite sequence of bits. However, Unit can also represent a
byte. We decided that it was unnecessary to specify the underlying representation here.


Formal  Assertions 

In the following assertions, $t1 \in T$.

1. ECA sat CorrectEncryption

\[
\begin{aligned}
CorrectEncryption(t1) \equiv\ & \forall t2 \in T,\ \forall m1 \in M : \\
& ((t2 \le t1 \wedge t2 \ne \langle\rangle \wedge t2_{last} = BO.m1 \wedge m1 \notin M_{EC}) \\
& \Rightarrow (\exists t3 \in T,\ \exists m2 \in (M - M_{EC}) : \\
& \qquad t3 \le t2 \wedge (t3_{last} = RI.m2 \vee m2 \in M_{IG}) \\
& \qquad \wedge\ Crp(m1) = ECAEncrypt(m2)))
\end{aligned}
\]

A Message that is subject to encryption and is leaving the Black Interface of the ECA must be the
encrypted transformation, specifically $ECAEncrypt$, of some other Message that was received previously at
the Red Interface or was generated internally by the ECA.

2. ECA sat CorrectFormat

\[
\begin{aligned}
CorrectFormat(t1) \equiv\ & \forall t2 \in T,\ \forall m1 \in M : \\
& ((t2 \le t1 \wedge t2 \ne \langle\rangle \wedge t2_{last} = BO.m1 \wedge m1 \notin M_{EF}) \\
& \Rightarrow (lengthB(Byp(m1)) = \textstyle\sum_{i=1}^{\#Byp(m1)} \#(Byp(m1)[i]) \\
& \qquad \wedge\ (\exists rs1 \in RS,\ \forall i \in \mathbb{N} : (i \ge 1 \wedge i \le \#rs1) \Rightarrow \\
& \qquad\qquad (\#(Byp(m1)) = \#rs1 \\
& \qquad\qquad \wedge\ valueF(Byp(m1)[i]) \ge lwrbndR(rs1[i]) \\
& \qquad\qquad \wedge\ valueF(Byp(m1)[i]) \le uprbndR(rs1[i]) \\
& \qquad\qquad \wedge\ \#(Byp(m1)[i]) = lengthR(rs1[i])))))
\end{aligned}
\]

All Messages transmitted from the Black Interface of the ECA must satisfy the Format Check:
the declared length of the Bypass Data must equal the actual length; the value of each Field must be
within range; and the length of each Field must satisfy the restriction.

3. ECA sat CorrectBypassRate

\[
\begin{aligned}
CorrectBypassRate(t1) \equiv\ & \forall t2 \in T,\ \forall m1 \in M : \\
& ((t2 \le t1 \wedge t2 \ne \langle\rangle \wedge t2_{last} = BO.m1 \wedge m1 \notin M_{EB}) \\
& \Rightarrow \exists z1 \in Z : \\
& \qquad (TI.z1\ \mathbf{in}\ t2 \\
& \qquad \wedge\ TotalBypass(t2) \le \sigma + \delta \times (z1 - Z_0)))
\end{aligned}
\]

\[
\begin{aligned}
TotalBypass(t) =\ & \mathbf{if}\ t = \langle\rangle \vee t_{last} = TI.Z_0\ \mathbf{then}\ 0 \\
& \mathbf{elseif}\ t_{last} = BO.m \wedge m \notin M_{EB}\ \mathbf{then}\ lengthB(Byp(m)) + TotalBypass(t_{nonlast}) \\
& \mathbf{else}\ TotalBypass(t_{nonlast})
\end{aligned}
\]

The amount of Bypass Data that can exit the Black Interface is determined by the Allowed Bypass
Rate, the Time that has elapsed, and the amount of Bypass Data already diverted around the cryptographic
function.

4. ECA sat CorrectOrder

\[
CorrectOrder(t1) \equiv (t1 \downarrow BO) \sqsubseteq (t1 \downarrow RI)
\]

where the relation $\sqsubseteq$ on sequences is defined recursively by

\[
\begin{aligned}
s1 \sqsubseteq s2 \equiv\ & s1 = \langle\rangle \\
& \vee\ (s2 \ne \langle\rangle \\
& \qquad \wedge\ ((s1_{nonlast} \sqsubseteq s2_{nonlast} \wedge s1_{last} = E(s2_{last})) \\
& \qquad\quad \vee\ (s1 \sqsubseteq s2_{nonlast}) \\
& \qquad\quad \vee\ (\exists m \in M_{IG} : s1_{last} = E(m) \wedge s1_{nonlast} \sqsubseteq s2)))
\end{aligned}
\]

The number of Messages transmitted over the Black Interface (ignoring internally generated Messages)
must not be greater than the number of Messages received over the Red Interface, and each
Message must have been transmitted only once and in the order it was received.
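As an added illustration that is not part of the report, the three mechanical checks above (CorrectFormat, CorrectBypassRate with TotalBypass, and CorrectOrder) are written below as executable checks over a constructed event trace. It assumes that a Unit is a byte, that lengthB reads the declared length from the first Field, that valueF reads a Field as a big-endian unsigned integer, and it uses a stand-in for the transform E that is not encryption.

```python
"""Executable reading of the ECA formal assertions over a constructed trace (added example)."""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, List, Tuple

# An event is (Channel, value); Channels follow Ch = {RI, RO, BI, BO, CI, TI}.
Event = Tuple[str, object]


@dataclass(frozen=True)
class Restriction:           # one element of R
    length: int              # lengthR(r)
    lwrbnd: int              # lwrbndR(r)
    uprbnd: int              # uprbndR(r)


@dataclass(frozen=True)
class Message:
    bypass: Tuple[bytes, ...]     # Byp(m): a sequence of Fields; a Unit is a byte here (assumption)
    crypto: bytes                 # Crp(m)
    exempt_format: bool = False   # m in M_EF
    exempt_bypass: bool = False   # m in M_EB
    internal: bool = False        # m in M_IG


def value_f(field: bytes) -> int:
    """valueF: a Field's value, read as a big-endian unsigned integer (assumption)."""
    return int.from_bytes(field, "big")


def length_b(bypass: Tuple[bytes, ...]) -> int:
    """lengthB: the declared length, carried by the first Field (assumption)."""
    return value_f(bypass[0])


def correct_format(m: Message, rs: List[Restriction]) -> bool:
    """Consequent of CorrectFormat for one Message about to leave BO."""
    if m.exempt_format:
        return True
    byp = m.bypass
    if length_b(byp) != sum(len(f) for f in byp):   # declared length = sum of Field lengths
        return False
    if len(byp) != len(rs):                          # #Byp(m1) = #rs1
        return False
    return all(len(f) == r.length and r.lwrbnd <= value_f(f) <= r.uprbnd
               for f, r in zip(byp, rs))


def total_bypass(trace: List[Event], z0: int) -> int:
    """TotalBypass(t): Bypass Units of non-exempt BO Messages since the last TI.Z0 event."""
    total = 0
    for ch, v in reversed(trace):        # the t_nonlast recursion, walked iteratively
        if ch == "TI" and v == z0:
            break
        if ch == "BO" and not v.exempt_bypass:
            total += length_b(v.bypass)
    return total


def correct_bypass_rate(trace: List[Event], z0: int, sigma: int, delta: Fraction) -> bool:
    """CorrectBypassRate over every prefix t2 ending in BO.m1 with m1 not in M_EB.
    With delta >= 0 the latest TI.z1 in t2 gives the weakest bound, so it is the witness tried."""
    for i, (ch, v) in enumerate(trace):
        if ch != "BO" or v.exempt_bypass:
            continue
        t2 = trace[: i + 1]
        times = [z for c, z in t2 if c == "TI"]
        if not times or total_bypass(t2, z0) > sigma + delta * (max(times) - z0):
            return False
    return True


def stand_in_transform(m: Message) -> Message:
    """Stand-in for E (NOT encryption): reverses Crp(m) so BO and RI values differ."""
    return Message(m.bypass, m.crypto[::-1], m.exempt_format, m.exempt_bypass, m.internal)


def correct_order(trace: List[Event], e: Callable[[Message], Message]) -> bool:
    """CorrectOrder: (t down BO) is, after dropping internally generated Messages,
    a subsequence of (t down RI) mapped through E: same order, each at most once."""
    sent = [v for c, v in trace if c == "BO" and not v.internal]
    received = [e(v) for c, v in trace if c == "RI"]
    j = 0
    for m in sent:                       # greedy leftmost matching decides the subsequence relation
        while j < len(received) and received[j] != m:
            j += 1
        if j == len(received):
            return False
        j += 1
    return True
```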


INFORMAL MODEL CORRESPONDENCE

The assertions of the Informal Model correspond, one to one, with those of the Formal Model; however,
the Formal Model fails to restate completely the critical requirements of the Informal Model. Namely, the
formal assertion CorrectBypassRate restates only partially the informal assertion Correct Bypass Rate.

The informal assertion includes the constraint: "The Allowed Bypass Rate is bounded from above
by a prespecified constant rate." We decided that the benefits of specifying this constraint formally were
outweighed by the complexity of the result. The formal specification was unwieldy and difficult to comprehend.
We felt that it inhibited our ability to reason effectively about the critical requirement Correct Bypass
Rate as a whole. We decided that other means would have to be explored for gaining assurance that this
constraint is enforced.

ADDITIONAL  CLARIFICATIONS 

This section clarifies certain aspects of the formal model to facilitate the interpretation of the model.

1. While the sets $M_{EF}$, $M_{EB}$, $M_{EC}$, and $M_{IG}$ are all subsets of $M$, their intersection is not
necessarily empty.

2. For some Message Sets, the "declared length" returned by the function $lengthB$ may not represent
the entire Bypass Data but only a portion of it. For such Messages, $lengthB$ must add the length
of the remainder to its returned value. Since this added value should be constant for many Message
Sets, the effort to represent it in the model did not seem justified.

3. The lower bound $lwrbndR(r)$ of every restriction $r \in R$ should be less than or equal to the upper
bound $uprbndR(r)$. If the lower bound is strictly greater than the upper bound, then the consequent of
CorrectFormat is always false, and no useful system can satisfy the assertion. Although this behavior
is secure, it is probably not desirable.

4. The Allowed Bypass Rate $\delta$ should be positive. A negative value for $\delta$ will prevent any bypass
after a period of time, since the right-hand side of the consequent of CorrectBypassRate will become
negative (and the left-hand side never can be). Although this behavior is secure, it is probably not
desirable.
GLOSSARY

The following terms have specific meaning for the ECA.

Actual Bypass Rate - the amount of Bypass Data actually diverted around the cryptographic function
divided by the Time elapsed.

Allowed Bypass Rate - the amount of Bypass Data that could have been diverted around the cryptographic
function, divided by the Time elapsed.

Black Domain - a region for processing nonsensitive information, i.e., for processing format- and rate-checked
Bypass Data and encrypted Crypto Data.

Black Interface - the set of external Channels for communicating with the Black Domain.

Bypass Data - that part of a Message that is diverted around the cryptographic function.

Bypass Rate - the rate of the diversion of Bypass Data around the cryptographic function, as measured
in relative terms.

Channel - a communication link.

Clock - a source for Time.

Crypto Data - that part of a Message targeted for encryption/decryption.

Crypto Interface - an external Channel from the Red Domain for loading the Key.

Device - hardware capable of requesting ECA services.

Field - an identifiable subsequence of the Bypass Data.

Format Check - a test that determines whether the Bypass Data of a Message is suitable for bypass
through the ECA.

Key - a seed for a cryptographic device.

Message - a block of data processed by the ECA.

Message Set - all possible Messages that can be transmitted across the network.

Red Domain - a region for processing sensitive data, i.e., for processing Bypass Data and unencrypted
Crypto Data.

Red Interface - the set of external Channels for communicating with the Red Domain.

Time - a discrete value.

Time Interface - an external Channel from the Red Domain for inputting Time.